Macrium Image Guardian


- What is Macrium Image Guardian?

- Installing Macrium Image Guardian for New Installations

- Adding Macrium Image Guardian to Existing Installations

- Macrium Image Guardian Settings

- Settings

- Email

- Volumes

- Events

- Macrium Image Guardian in Action


What is Macrium Image Guardian?

Macrium Reflect LTSC includes the Macrium Image Guardian (MIG) feature, which provides ransomware and accidental deletion protection for Macrium backup files that are stored locally on the computer where Macrium Image Guardian is running.

MIG works by preventing unauthorized delete or write operations from being performed on Macrium backup files by any process that does not have a valid Macrium code signature. 

This ensures that in the event of a ransomware infection, Macrium backup files will be available to be restored.


Installing Macrium Image Guardian for New Installations

When Macrium Reflect is installed for the first time, the 'Custom Setup' page can be used to install Macrium Image Guardian:

If Macrium Reflect is being installed via the command line, the '-mig' switch can be used to install Macrium Image Guardian:

C:\Users\Admin\Downloads> reflect_wkstn_setup_x64.exe -mig

Once MIG has been installed, the computer may need to be rebooted before the Macrium Image Guardian driver is loaded and MIG can provide protection to images stored on the system.


Adding Macrium Image Guardian to Existing Installations

If Macrium Reflect has already been installed without Macrium Image Guardian, Macrium Image Guardian can be installed by navigating to the control panel and then selecting ‘Programs and Features’. Select ‘Macrium Reflect <Edition>’ from the list of installed programs, then select ‘Modify’.  

In the wizard that opens, select ‘Next’ then ‘Modify’. On the next page of the wizard, you can specify additional installation options. Ensure that ‘Install Image Guardian’ is selected, select ‘Next’ and then ‘Install’. 


Macrium Image Guardian Settings

Accessing Macrium Image Guardian Settings

Macrium Image Guardian settings can be changed by selecting the 'Other Tasks' menu in Macrium Reflect and then selecting 'Macrium Image Guardian Settings...':

The same settings can also be accessed by clicking the 'Settings' link in a Macrium Image Guardian toast notification after a MIG event:

Settings

The first page of the Macrium Image Guardian settings is used to control whether Macrium Image Guardian is active on the system.

When 'Turn on Image Guardian' is selected, two additional options can be toggled:

Option: Automatically protect Reflect local backup drives
Description: When turned on, all saved backup definitions are searched and Macrium Image Guardian is enabled for local backup drives.

When creating a new backup, unprotected target drives will be automatically protected by enabling Macrium Image Guardian on the drive.

When the PC is restarted, Macrium Image Guardian will be re-enabled on all backup drives. This prevents accidentally leaving your drives unprotected by manually turning protection off.

Option: Allow RoboCopy to sync and move backup files on protected volumes
Description: Enables the MS utility RoboCopy to delete and overwrite backup files on protected volumes with the /MOV, /MOVE, /PURGE, and /MIR parameters.

RoboCopy and Network Shares
If the source of a /MOVE or /MOV operation, or the target of a /MIR or /PURGE operation, is a MIG-protected volume on a network share, then all delete operations are blocked. This is because RoboCopy 'Rules' can only be applied if the Windows session that opens the files is the same Windows session that is running RoboCopy. In the case of a network share, the remote computer opens the files, so Macrium Image Guardian will block all write and delete operations.

Macrium Image Guardian protection can be disabled using the 'Turn off Image Guardian (not recommended)' option. Macrium Image Guardian protection can also be temporarily disabled to enable specific operations, like manually moving or deleting backup files:

The 'Current Status' of MIG can also be viewed at the bottom of this page. The available statuses are:

Macrium Image Guardian will only be protecting Macrium backup files while it is in the 'Enabled' state.

Email

If email server settings have been configured in the 'Edit Defaults and Settings...' menu of Macrium Reflect, an email address can be specified that will receive email notifications when MIG blocks an operation:

Volumes

The 'Volumes' page allows MIG to be enabled or disabled for specific local volumes. When MIG is enabled for a volume, the drive icon will change to a Macrium Image Guardian shield. In the example below, drive E: is protected, while drives C: and F: are not:

The protection status of volumes can also be viewed on the 'Local Disks' tab nested under the 'Create Backups' tab. Volumes that are protected by Macrium Image Guardian are shown with the Macrium Image Guardian shield:

Events

All Macrium Image Guardian events are logged in the 'Events' tab, which provides a detailed record of the event and when it took place. The events on this tab can be filtered to make finding a particular event easier:

The list of events that can be seen in this tab is shown below:

Number Event Name Severity Description
100 EVT_MIG_SERVICE_STARTED Informational Image Guardian service started
110 EVT_MIG_DRIVER_STARTED_BY_SERVICE Informational Image Guardian driver started by service
200 EVT_MIG_SERVICE_STOPPED Informational Image Guardian service stopped
300 EVT_MIG_VOLUME_PROTECTED Informational Volume (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\) is protected
310 EVT_MIG_BLOCK_VERIFICATION_FILE_ACCESS Informational Blocking process (processname.exe) creating verification file as the process is not Macrium certified
320 EVT_MIG_BLOCKED_FILE_ACCESS Warning Blocked unauthorised process (processname.exe) accessing file (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\Folder\filename.mrimg)
330 EVT_MIG_USER_PROTECTED_VOLUME Informational User has enabled Image Guardian on volume (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\)
340 EVT_MIG_USER_DISABLED_VOLUME Informational User has disabled Image Guardian on volume (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\)
500 EVT_MIG_ERROR_BAD_EVENT Error Error could not open Image Guardian verification event. Error code = 123
510 EVT_MIG_ERROR_PROTECTING_VOLUME Error Error protecting volume (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\). Error code = 123
520 EVT_MIG_ERROR_UNPROTECTING_VOLUME Error Error unprotecting volume (\\?\Volume{6a2d53fe-c79a-11e1-b189-806e6f6e6963}\). Error code = 123

When an unauthorized process attempts to write to, delete, or rename a Macrium backup file, the action will be blocked and Windows Event 320 will be generated. This is shown in bold in the table above.
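
Added example (not part of the Macrium documentation): a small triage routine that replays MIG events using the message formats from the table above, counts blocked accesses per process, and reports volumes whose last recorded state is unprotected. The (number, message) record shape, the burst threshold, the GUIDs and the process names are assumptions made for the example; the page does not describe how events are exported.

```python
import re
from collections import Counter
# Message shapes copied from the event table on this page.
BLOCKED = re.compile(r"^Blocked unauthorised process \((?P<proc>[^)]+)\) "
                     r"accessing file \((?P<path>.+)\)$")
VOLUME = re.compile(r"[Vv]olume \((?P<vol>[^)]+)\)")

def triage(events, burst_threshold=3):  # threshold is an assumed tuning value
    """Replay (event_number, message) records in order and summarise them."""
    blocked = Counter()   # process -> count of blocked accesses (event 320)
    files = {}            # process -> backup files it tried to touch
    protected = {}        # volume -> last known protection state
    notes = []            # service stops (200) and errors (5xx)
    for number, message in events:
        if number == 320:
            m = BLOCKED.match(message)
            if m:
                proc = m["proc"].lower()   # Windows names are case-insensitive
                blocked[proc] += 1
                files.setdefault(proc, set()).add(m["path"])
        elif number in (300, 330, 340):
            m = VOLUME.search(message)
            if m:
                protected[m["vol"]] = number != 340
        elif number == 200 or 500 <= number < 600:
            notes.append((number, message))
    return {
        "blocked": dict(blocked),
        "burst": sorted(p for p, n in blocked.items() if n >= burst_threshold),
        "files": {p: sorted(f) for p, f in files.items()},
        "unprotected": sorted(v for v, on in protected.items() if not on),
        "notes": notes,
    }

# Constructed sample data (placeholder GUIDs and process names, not real logs).
VOL_E = "\\\\?\\Volume{11111111-1111-1111-1111-111111111111}\\"
VOL_F = "\\\\?\\Volume{22222222-2222-2222-2222-222222222222}\\"
def blocked_event(proc, name):
    return (320, f"Blocked unauthorised process ({proc}) accessing file ({VOL_E}Backups\\{name})")
SAMPLE_EVENTS = [
    (300, f"Volume ({VOL_E}) is protected"),
    (300, f"Volume ({VOL_F}) is protected"),
    blocked_event("Explorer.exe", "full.mrimg"),
    blocked_event("sample_tool.exe", "full.mrimg"),
    blocked_event("sample_tool.exe", "inc1.mrimg"),
    blocked_event("sample_tool.exe", "inc2.mrimg"),
    (340, f"User has disabled Image Guardian on volume ({VOL_F})"),
    (510, f"Error protecting volume ({VOL_F}). Error code = 123"),
]
```

A single blocked access, like the Explorer.exe case, is usually a user action; the same process being blocked on several different backup files, or a volume left in the disabled state, is what deserves a closer look.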


Macrium Image Guardian in Action

If a third-party process attempts to modify or delete a protected backup file, the following toast notification will be displayed:

The 'Events' tab of the Macrium Image Guardian Control app can be checked for more information about the process that was blocked. In the example below, Explorer.exe attempted to modify an image: